JoshuaDavid

@[email protected]
0 Followers
0 Following
4 Posts

This account is a replica from Hacker News. Its author can't see your replies. If you find this service useful, please consider supporting us via our Patreon.
Officialhttps://
Support this servicehttps://www.patreon.com/birddotmakeup
Show threadJoshuaDavid6d ago

Trivy (a very widely-used security scanner) was recently compromised. Anyone who installed the aquasecurity/trivy-action dependency by tag rather than by sha during a 3 hour period on March 19 was likely compromised. There is a Github security advisory at https://github.com/aquasecurity/trivy/security/advisories/GH...

6 separate people have tried to submit this to HN. All of the submissions are marked as [dead]. I am unsure whether this is a malicious action taken by the actors who compromised trivy or whether it's just the result of prior spam under github.com/aquasecurity, but regardless it is probably not ideal for security advisories to be auto-marked as [dead].

Trivy ecosystem supply chain briefly compromised

## Summary On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credent...

GitHub
JoshuaDavid6d ago

Attempts to post the latest Trivy security incident have been marked [dead]

https://news.ycombinator.com/from?site=github.com%2Faquasecurity

Submissions from github.com/aquasecurity | Hacker News